Samsung Phone Studied for Possible Security Gap

Jonathan Cheng reported exclusively that new security software for Samsung’s top-of-the-line smartphones may have a critical security flaw.

The story gave readers important information about a key product for Samsung’s mobile business, building on an article earlier in the month that detailed the problems Samsung has had in developing its security system for mobile devices, called Knox.

2:42 PM Dec 23, 2013

Samsung Phone Studied for Possible Security Gap

By Jonathan Cheng

SEOUL—The security platform for Samsung Electronics Co.'s best-selling Galaxy S4 smartphone suffers from a vulnerability that could allow malicious software to track emails and record data communications, according to cybersecurity researchers at Israel’s Ben-Gurion University of the Negev.

The alleged security gap, which the researchers say they discovered earlier this month, comes as Samsung pitches the new security platform called Knox to potential clients at the U.S. Department of Defense and other government and corporate entities, in a bid to compete with BlackBerry Ltd., whose devices have been considered the gold standard among security-conscious clients for years.

Samsung said it was looking into the allegations, but said that an initial investigation showed the problem wasn’t as serious as the Israeli researchers have maintained.

The researcher who discovered the alleged problem at Ben-Gurion University’s Cyber Security Lab, Mordechai Guri, said the vulnerability would allow a hacker to “easily intercept” secure data of a user of a Knox-enabled Galaxy smartphone.

In a worst-case scenario, he added, a hacker could modify data and even insert hostile code that could run amok within the secured network.

“The new unveiled vulnerability presents a serious threat to all users of phones based on this architecture, such as users” of the Samsung Galaxy S4, Dudu Mimran, the lab’s chief technical officer, said in a statement.

A spokesman for Samsung said the company “takes all security vulnerability claims very seriously” and promised to further investigate the university lab’s claims.

However, a preliminary investigation by Samsung showed that “the threat appears to be equivalent to some well-known attacks,” the spokesman said.

The spokesman added that the university lab’s breach of the system appeared to have been conducted on a device that wasn’t fully loaded with the extra software that a corporate client would use in conjunction with Knox.

“Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware,” he said.

Lt. Col. Damien Pickart, a spokesman for the U.S. Department of Defense, said the government doesn’t comment on possible security vulnerabilities, but added that no device would be used by the Pentagon until it is proven secure.

The Samsung Knox security system isn’t yet approved for use on Pentagon networks, Lt. Col. Pickart added, but he said that the Defense Information Systems Agency, working with the National Security Agency, purchased 500 Galaxy S4 devices for testing as part of a pilot program.

“They have not been deployed and remain in testing,” he said.

More generally, officials have said they are aware security vulnerabilities have been found in the Knox platform. The company has said it is working with the Pentagon to address these issues.

Such vulnerabilities are common, officials said, and they hope such flaws will continue to be discovered and fixed while the device is being tested for use on secure networks.

If the Samsung phone is approved for use on Pentagon networks, officials will also determine if the phone can be used for classified communications, Lt. Col. Pickart said.

If the Ben-Gurion University researchers are correct, they said, the security vulnerability would be classified as a “category one” vulnerability.

That is the most serious of its kind, according to a May 3 document discussing Samsung’s Knox program, published by the Field Security Operations of the Defense Information Systems Agency, which manages device approvals for the Pentagon.

Outside the Pentagon, the Galaxy S4 is one of the world’s most popular smartphones. While Samsung doesn’t regularly release sales data for its devices, the company said in May that it sold more than 10 million units within the first month of its commercial debut.

Knox wasn’t initially preloaded on Galaxy S4 devices, but users can now download the system. It is preloaded on the Galaxy Note 3.

The system can be turned off by any user. Israeli researchers said they have only discovered the problem on the Galaxy S4.

Mr. Guri said that he stumbled upon the security hole while working on an unrelated project related to mobile security. He said that his results tested out on multiple Galaxy S4 devices that had been purchased through retail stores.

Mr. Guri said it was unclear how long the vulnerability has existed.

Mr. Guri’s doctoral adviser, Yuval Elovici, said in a phone interview that his student’s discovery was “very, very alarming.” Mr. Elovici, who runs the university’s Cyber Security Lab, said the lab also does work for Israel’s Ministry of Defense.

Patrick Traynor, a computer-science professor and specialist in mobile security at Georgia Institute of Technology, said that the vulnerability appeared to be legitimate. But he said it was hard to determine at this time whether the problem was one that could be fixed easily, or whether it would require much deeper work at the root of the Knox system.

“It is not surprising that Knox, much like all software, has some unintended weaknesses,” said Mr. Traynor, who isn’t involved either with Knox or the Israeli researchers. “However, this problem appears to be serious enough that it should be patched immediately.”

The question of mobile devices is important for cybersecurity experts like Mr. Traynor, who say that many of our most critical operations and data will soon reside on our phones.

Samsung has gone to considerable lengths to integrate Knox into every aspect of its phones’ hardware and software development, and designed the system so that sensitive, work-related data could be stored in a password-protected “container” within the phone, completely separate from a phone’s other functions and apps.

The goal: to allow government and corporate employees to use their own devices at work, without compromising the security of confidential work data.

After years of issuing BlackBerry devices to Defense officials, the Pentagon says that it is now developing a communications system that will support Apple, Android, BlackBerry and Windows-based products, as part of a bid to allow employees to bring their own devices and use them on government networks.

“Our strategy to establish a multivendor environment was designed to mitigate problems that might occur as part of normal deployment of new products,” Lt. Col. Pickart said.

Several security vulnerabilities have already emerged as Samsung develops and rolls out Knox—a normal part of software development processes, according to one person familiar with the project. Samsung has said it is working to fix these issues with Knox.

Earlier this month, the company said it had released a patch to address a separate vulnerability that affected Knox on Samsung’s Note 3 smartphone.

In a statement, Samsung said that the Note 3 vulnerability posed a “threat to the integrity of Knox-enabled devices,” but said that it had fixed the problem and that “security patches are being rolled out for all vulnerable models.”

In the case of the vulnerability alleged by the Israeli researchers, even a relatively unsophisticated app, such as a mobile game aimed at children, could exploit the device’s security, said Mr. Mimran of the Israeli lab.

Even if such an app were installed on a device outside the Knox container, that malware could be activated to record all data communication taking place inside the container.

“For us, Knox is state-of-the-art in terms of a secure mobile architecture, and I was surprised to find out there was such a big ‘hole’ that was left untouched,” said Mr. Mimran, who added that he was willing to work with Samsung on the issue.
